PicoCTF-2019 Writeup
  • HHousen PicoCTF-2019 Writeup
  • Binary Exploitation
    • L1im1tL355
    • messy-malloc
    • OverFlow 2
    • CanaRy
    • NewOverFlow-1
    • NewOverFlow-2
    • sice_cream
    • seed-sPRiNG
    • leap-frog
    • GoT
    • rop64
    • rop32
    • Ghost_Diary
    • zero_to_hero
    • Challenge Name
    • Heap overflow
    • slippery-shellcode
    • AfterLife
    • SecondLife
    • stringzz
  • Cryptography
    • la cifra de
    • b00tl3gRSA2
    • b00tl3gRSA3
    • AES-ABC
    • john_pollard
    • b00tl3gRSA2
    • waves over lambda
  • Forensics
    • What Lies Within
    • m00nwalk
    • shark on wire 1
    • shark on wire 2
    • Glory of the Garden
    • pastaAAA
    • Investigative Reversing 0
    • Investigative Reversing 1
    • extensions
    • investigation_encoded_1
    • Investigative Reversing 2
    • investigation_encoded_2
    • Investigative Reversing 3
    • like1000
    • Investigative Reversing 4
    • WebNet0
    • B1g_Mac
    • m00nwalk 2
    • WebNet1
    • WhitePages
    • So Meta
    • c0rrupt
  • Web Exploitation
    • Java Script Kiddie 2
    • Empire1
    • Empire2
    • cereal hacker 1
    • Empire3
    • cereal hacker 2
    • Java Script Kiddie
    • JaWT Scratchpad
    • Irish-Name-Repo 1
    • Irish-Name-Repo 2
    • Irish-Name-Repo 3
  • Reverse Engineering
    • Time's Up, Again!
    • Forky
    • droids0
    • Challenge Name
    • droids1
    • droids2
    • droids3
    • reverse_cipher
    • droids4
    • B1ll_Gat35
    • Time's Up
    • Time's Up, For the Last Time!
    • asm1
    • asm2
    • asm3
    • asm4
  • Challenge Name
Powered by GitBook
On this page
  • Problem
  • Solution
  • Flag

Was this helpful?

Edit on Git
  1. Binary Exploitation

CanaRy

PreviousOverFlow 2NextNewOverFlow-1

Last updated 4 years ago

Was this helpful?

Problem

This time we added a canary to detect buffer overflows. Can you still find a way to retreive the flag from this program located in /problems/canary_2_dffbf795b4788666d54a993a5e41d145. Source.

Solution

  1. BUF_SIZE is 32 bytes so offset by 'a'*32 since canary will be next in stack

  2. Leak the canary by running the file on the shell server

  3. Paste Canary into on line 13

  4. Offset after canary determined using cyclic(24) and cyclic_find() with python2 -c "from pwn import *; print 'a'*32 + 'ex;Y' + cyclic(100)" | ./vuln locally to get offset as 'a'*16.

  5. Last 1.5 bytes of display_flag function determined with readelf -s vuln

  6. First byte found with gdb by placing a breakpoint at vuln and running which got Breakpoint 1, 0x56622a14 in main () and more importantly the first byte 0x56

  7. Loops in hex are used to bruteforce every possible value for the remaining 1.5 bytes and p32 from pwntools is used to convert to little endian

  8. Run on shell server by pasting bruteforce_pie function (after running from pwn import *) into python terminal and then running print bruteforce_pie()

  9. Flag will appear in a few minutes

  10. If the flag doesn't appear after running the program then run it again and it will work (the program doesn't check addresses with zeros in them)

Flag

picoCTF{cAnAr135_mU5t_b3_r4nd0m!_1df5fde9}

Program
Source
break-canary.py
bruteforce-pie.py
bruteforce-pie.py